'States' Rights' Shouldn't Be the Rule for Data Privacy
Nevada just became the latest state to propose its own regulations on data privacy and how consumer data is used by websites. Democrat State Senator Catherine Cortez Masto’s Data Privacy Act takes the unprecedented step of trying to ban targeted advertising based on race. But the news highlights the desperate need for uniform federal data privacy protections to supersede state laws like California’s controversial Consumer Privacy Act of 2018, since a patchwork of laws across 50 different states is untenable for the increasingly global tech space, and will come at immense cost for both consumers and small businesses.
Privacy data rulings must come through a singular federal approach to ensure a thriving, competitive tech space that doesn’t shut out smaller, less-resourced players.
The Nevada bill is an apt example of the confusion and costs that unique state laws can cause. It allows the Federal Trade Commission (FTC) to define discriminatory practices in online advertising and data collection, and expands its power to penalize them. While it is claimed that the bill is in the spirit of ‘civil rights,’ it is likely to instead cause harm and uncertainty. For example, is it racial targeting to advertise fairness creams that are almost exclusively popular amongst some Asian demographics? If yes, then doesn’t the same logic apply to the advertising of tanning services popular among Caucasians? How are the interests of these groups protected by banning targeted advertising?
Even federally, laws that try to give users greater control over the way that media platforms like Facebook and Google use their data can hit businesses hard — stressing the need for a sensible approach. We already see the havoc wreaked by extant privacy legislation, like the European Union’s Global Data Protection Right (GDPR) and California’s Privacy Act (CPA). These laws give users the right to demand that tech companies export their personal data only on request — and the right to demand deletion of that data, amidst other controls. Yet, even two years after the E.U.’s GDPR was announced in 2016, many businesses, including 70 percent of U.K. tech businesses, remained non-compliant with its heavy requirements.
Particularly for smaller and mid-sized players, the cost and difficulty of complying was far too significant. Indeed, it required the wholesale redesign of common marketing practices like individual targeting from advertising companies — something both the GDPR and CPA only permit on an opt-in basis. So harsh were these changes that an entirely new industry was created to help businesses comply, with an unmet demand for specialized “data protection officers,” given the shortage of qualified people for the job.
Even businesses large or well-resourced enough to bear these costs had to divert time and resources away from providing better products and user experiences, instead spending them on regulatory compliance at the behest of a stringent, needless mandate.
International accounting firm EY estimated the compliance costs of the GDPR for Fortune 500 companies operating across 28 EU countries to be a staggering $16 million over two years, with the average compliance cost for a mid-sized business estimated at over half a million.
In the United States, those sorts of costs might have to be multiplied by 50 just to ensure a firm can legally conduct its business across the country should each state adopt its own unique data privacy requirements. That could be the reality if California’s example is followed elsewhere.
But it gets worse. Fines for breaching the GDPR can go up to $23.86 million or four percent of a company’s global revenue. Now imagine dealing with fines levied by up to 50 different American jurisdictions. It doesn’t help that states have an incentive to compete with each other to levy exorbitant fines to line their own coffers.
A grim patchwork of state-based data privacy laws will only put the boot on innovative businesses and investors. It’ll also entrench the market share of big players like Google, Amazon and Facebook while grossly undermining smaller businesses. Ultimately, competition will be thinned — raising costs and only hurting the consumers it’s meant to empower.
Businesses and consumers don’t deserve to be fleeced by greedy state legislators claiming to “empower” them by creating mandates over data they’ve already consented to provide the companies with. After all, studies show that over half of all consumers don’t mind companies using their data if they gain some benefit in return, and a further quarter are entirely unconcerned about the use of their data. Consumers and businesses shouldn’t be prodded with a hot iron into delivering something that a vast majority of us don’t even want.
Satya Marar is a Young Voices contributor and Policy Director at the Australian Taxpayers’ Alliance, a 75,000+ member grassroots taxpayer advocacy group that fights for limited and efficient government and consumer choice.